Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

BuildTransitive targets and BinSkim issues #7

Open
wants to merge 5 commits into
base: master
Choose a base branch
from

Conversation

TheFieryScythe
Copy link

BuildTransitive

The targets that add p4bridge.dll to the output of the consuming assembly are not present within a buildTransitive folder in the current NuGet packages. I believe this means that if p4api is a nested, transitive dependency then the targets might not get applied, resulting in the top level assembly not having p4bridge in it's output. This change adds the targets to the buildTransitive folder.

BinSkim

When Microsoft BinSkim is executed over the p4api package contents the following issues are raised:

BA2022 - SignSecurely

p4api.net and p4bridge.dll both get flagged with this issue, as a result of being signed using a SHA1 digest algorithm. SHA256 is the required minimum to be compliant. This is not a change that can fixed by GitHub PR.

BA2008 - EnableControlFlowGuard

This check requires p4bridge.dll to be compiled with the /guard:cf flags and linked with the /guard:cf and /DYNAMICBASE flags when built with MSVC. This is a mitigation against malicious code injection into switch statements. I have attempted to add these flags to the CMake config, though due to issues linking with OpenSSL locally (also without this change) I have been unable to get p4bridge to build completely.

Architecture Packages

An additional observation, the nuspecs for all packages are largely identical meaning assemblies are being included in architecture packages that will never be used. For example the x86 package includes x64 assemblies, the net.core package references and targets net framework assemblies, etc. I have not changed these nuspecs under the assumption these are for backwards compatibility. Only a single multi targeting package would be necessary otherwise. The targets for x86 also mirrors this inconsistency by having conditions for x64 and AnyCPU, and adding x64 libraries to the build output for Linux and OSX.

@TheFieryScythe TheFieryScythe changed the title BuidlTransitive targets and BinSkim issues BuildTransitive targets and BinSkim issues Feb 7, 2023
@TheFieryScythe
Copy link
Author

Pinging last committer for visibility. @skardile-perforce

@skardile-perforce
Copy link
Contributor

Thanks @TheFieryScythe. Noted this. Will take a look at this for the next release.

@TheFieryScythe
Copy link
Author

The BinSkim security issues have not been resolved in the latest package.
The latest package also does not have transitive build targets.

@shraddhaborate
Copy link
Contributor

There has been multiple changes over time in p4api.net. We will handle all applicable issues in upcoming release.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants